An example from my /var/log/apache2/error.log:
[Sun Apr 10 23:33:12 2011] [error] [client 173.242.122.8] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe /c+dir?/c+dir%20c:\\ HTTP/1.0
[Sun Apr 10 23:33:13 2011] [error] [client 173.242.122.8] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0
[Sun Apr 10 23:33:13 2011] [error] [client 173.242.122.8] Invalid URI in request GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir%20c:\\ HTTP/1.0
[Sun Apr 10 23:33:13 2011] [error] [client 173.242.122.8] File does not exist: /var/www/bin
[Sun Apr 10 23:52:20 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/allmanage
[Sun Apr 10 23:52:30 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/allmanageup.pl
[Sun Apr 10 23:53:02 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/AnyBoard.cgi
[Sun Apr 10 23:53:02 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/anyboard.cgi
[Sun Apr 10 23:53:03 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/AnyForm
[Sun Apr 10 23:53:03 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/AnyForm.cgi
[Sun Apr 10 23:53:05 2011] [error] [client 173.242.122.8] script not found or unable to stat: /usr/lib/cgi-bin/AnyForm2
The list goes on and on; it is huge.
Should I act on this? Should I be worried? Should I ban the IP?
Answer 1
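This is a program scanning for vulnerabilities.
If your site isn't using a vulnerable framework/blog/CMS, then you probably don't need to worry too much; if they didn't find anything, it's just a waste of resources. However, if any of the URLs it tried match a URL on your site, then the scanner has done its job, and the person scanning from that IP now has information about how they could break in. Check your access log for non-4xx responses to that IP during the time of the scan.
Interestingly, the IP may have changed in the past 3 days... so banning the IP at this point probably won't do much. The only reliable ways to stop it are to update and/or disable the vulnerable applications, and/or shut down the server.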
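One way to run the access-log check suggested in the answer above, as an added example that is not part of the original answer. It assumes Apache's common/combined access log format; the sample lines, the paths guestbook.cgi and admin.pl, the second client address, and the +0000 timezone are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Apache common/combined access log: host ident user [time] "request" status size ...
# Apache backslash-escapes quotes inside the request, so allow \" within it.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) '
)

def non_4xx_hits(lines, ip, start, end):
    """Requests from `ip` within [start, end] that did NOT get a 4xx status,
    i.e. URLs the scanner tried that the server actually handled."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("host") != ip:
            continue
        when = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
        status = int(m.group("status"))
        if start <= when <= end and not 400 <= status <= 499:
            hits.append((when, status, m.group("request")))
    return hits

# Constructed sample access.log lines (not taken from the question).
SAMPLE = [
    '173.242.122.8 - - [10/Apr/2011:23:33:13 +0000] "GET /bin/scripts/../../../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 226 "-" "-"',
    '173.242.122.8 - - [10/Apr/2011:23:52:20 +0000] "GET /cgi-bin/allmanage HTTP/1.0" 404 210 "-" "-"',
    '173.242.122.8 - - [10/Apr/2011:23:53:40 +0000] "GET /cgi-bin/guestbook.cgi HTTP/1.0" 200 5120 "-" "-"',
    '198.51.100.7 - - [10/Apr/2011:23:53:41 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '173.242.122.8 - - [10/Apr/2011:23:54:02 +0000] "GET /cgi-bin/admin.pl HTTP/1.0" 500 301 "-" "-"',
    '173.242.122.8 - - [11/Apr/2011:09:00:00 +0000] "GET / HTTP/1.0" 200 1024 "-" "-"',
]
# Window around the scan seen in error.log (timezone assumed to be UTC).
WINDOW_START = datetime(2011, 4, 10, 23, 30, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2011, 4, 10, 23, 59, 59, tzinfo=timezone.utc)

if __name__ == "__main__":
    for when, status, request in non_4xx_hits(
            SAMPLE, "173.242.122.8", WINDOW_START, WINDOW_END):
        print(when.isoformat(), status, request)
```

Any line this reports is a URL worth reviewing: a 2xx or 3xx means the path exists on the server, and a 5xx means the request reached a script that then failed.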